Bug 1732428 - cacert.p12 fails to get imported.
Summary: cacert.p12 fails to get imported.
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.1
Assignee: Thomas Woerner
QA Contact: ipa-qe
Depends On:
Blocks: 1727835
Reported: 2019-07-23 11:18 UTC by Christian Heimes
Modified: 2021-01-27 14:49 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-01-27 14:48:56 UTC
Type: Bug
Target Upstream Version:


Description Christian Heimes 2019-07-23 11:18:48 UTC
This bug was initially created as a copy of Bug #1727835

I am copying this bug because: 
IPA is going to change the pki config template as workaround.

Description of problem: cacert.p12 fails to get imported.

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. Install IPA server. Ensure cacert.p12 file is present
2. Try to import the file using the pki command.

#pki -v -d  /tmp/test -c Secret123 -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123

Actual results:
[root@ipa ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.1 Beta (Ootpa)

[root@ipa test]# pki -v -d  /tmp/test -c Secret123 -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123
PKI options: -v -d /tmp/test -c Secret123
PKI command: 8080 -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /tmp/test -c Secret123 --verbose -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123
Server URL: http://ipa.example.test:8080
NSS database: /tmp/test
Message format: null
Command: client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123
Module: client
Module: cert-import
Importing certificates from /root/cacert.p12.
External command: /usr/bin/pk12util -d /tmp/test -k /tmp/pki-client-cert-import-4556096729051108750.nssdb-pwd -i /root/cacert.p12 -w /tmp/pki-client-cert-import-1914323035172484393.pkcs12-pwd
java.lang.Exception: Unable to import PKCS #12 file
        at com.netscape.cmstools.client.ClientCertImportCLI.importPKCS12(ClientCertImportCLI.java:490)
        at com.netscape.cmstools.client.ClientCertImportCLI.execute(ClientCertImportCLI.java:231)
        at org.dogtagpki.cli.CLI.execute(CLI.java:345)
        at org.dogtagpki.cli.CLI.execute(CLI.java:345)
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:667)
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:703)
Caused by: org.dogtagpki.cli.CLIException: External command failed. RC: 18
        at org.dogtagpki.cli.CLI.runExternal(CLI.java:386)
        at org.dogtagpki.cli.CLI.runExternal(CLI.java:358)
        at com.netscape.cmstools.client.ClientCertImportCLI.importPKCS12(ClientCertImportCLI.java:488)
        ... 5 more
ERROR: Command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /tmp/test -c Secret123 --verbose -p 8080 client-cert-import --pkcs12 /root/cacert.p12 --pkcs12-password Secret123

Expected results: The cacert.p12 file should get imported. It works in RHEL7.7

Additional info: Attaching the logs for reference.
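
The report does not say why pk12util returns RC 18 for this file. The script below is an added, dependency-free check (not part of pki or IPA) that walks the DER of a PKCS#12 file and lists the algorithm OIDs it uses, so a practitioner can see at a glance whether the export relies on legacy PBE or MAC algorithms before digging further; the sample file at the bottom is constructed by hand, not a real IPA export.

```python
"""Dependency-free check that lists the algorithm OIDs inside a PKCS#12 (PFX) file
such as the cacert.p12 above. Added example, not part of pki or IPA; the sample
file at the bottom is constructed by hand and is not a real IPA export."""
LEGACY = {  # legacy PKCS#12 PBE / MAC algorithms worth checking first when an import fails
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",
    "1.3.14.3.2.26": "SHA-1 (MAC digest)",
}

def _read(buf, pos):
    """Decode the DER TLV at pos -> (tag, value, position after it)."""
    tag, n, hdr = buf[pos], buf[pos + 1], 2
    if n & 0x80:                                   # long-form length
        hdr += n & 0x7F
        n = int.from_bytes(buf[pos + 2:pos + hdr], "big")
    return tag, buf[pos + hdr:pos + hdr + n], pos + hdr + n
def _decode_oid(v):
    arcs = [2, v[0] - 80] if v[0] >= 80 else [v[0] // 40, v[0] % 40]
    acc = 0
    for b in v[1:]:                                # base-128 sub-identifiers
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))
def collect_oids(der):
    """Walk nested DER, also into OCTET STRINGs wrapping a whole SEQUENCE (authSafe)."""
    oids, pos = [], 0
    while pos < len(der):
        tag, val, pos = _read(der, pos)
        if tag == 0x06:
            oids.append(_decode_oid(val))
        elif tag & 0x20 or (tag == 0x04 and len(val) > 2 and val[0] == 0x30
                            and _read(val, 0)[2] == len(val)):  # never raw ciphertext
            oids.extend(collect_oids(val))
    return oids
def legacy_algorithms(der):  # names of flagged algorithms present; empty list means none
    return [LEGACY[o] for o in collect_oids(der) if o in LEGACY]
def _tlv(tag, *parts):  # minimal DER encoder, used only to build the constructed sample
    body = b"".join(parts)
    ln = bytes([len(body)]) if len(body) < 0x80 else bytes([0x82, len(body) >> 8, len(body) & 0xFF])
    return bytes([tag]) + ln + body
P7_DATA, P7_ENC = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01", b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x06"
PBE_RC2_40, SHA1 = b"\x06\x0a\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x06", b"\x06\x05\x2b\x0e\x03\x02\x1a"
SAMPLE_P12 = _tlv(0x30, _tlv(0x02, b"\x03"),   # constructed PFX: version 3, then authSafe
    _tlv(0x30, P7_DATA, _tlv(0xA0, _tlv(0x04, _tlv(0x30, _tlv(0x30, P7_ENC, _tlv(0xA0, _tlv(0x30,
        _tlv(0x02, b"\x00"), _tlv(0x30, P7_DATA, _tlv(0x30, PBE_RC2_40, _tlv(0x30,
        _tlv(0x04, b"\x01" * 8), _tlv(0x02, b"\x08\x00"))), _tlv(0x80, b"\x30\x00\xde\xad"))))))))),
    _tlv(0x30, _tlv(0x30, _tlv(0x30, SHA1, _tlv(0x05, b"")), _tlv(0x04, b"\x00" * 20)),
         _tlv(0x04, b"\x02" * 8), _tlv(0x02, b"\x08\x00")))  # macData: SHA-1 digest, salt, iterations
```

Run `collect_oids(open("/root/cacert.p12", "rb").read())` on a real export to see every OID the file carries; `legacy_algorithms` narrows that to the three flagged ones.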

Comment 3 Christian Heimes 2019-09-18 08:06:56 UTC
Moving to 8.2

In #1727835 Endi recommended disabling pki_backup_keys and suggested using PKCS12Export to back up the NSSDB after installation instead:

    $ PKCS12Export -d /etc/pki/pki-tomcat/alias -p password.txt -o /root/cacert.p12 -w password.txt

Comment 9 Petr Vobornik 2021-01-27 14:48:56 UTC
This BZ has been evaluated multiple times over the last several years and we assessed that it is a valuable request to keep in the backlog and address it at some point in the future. Time showed that we did not have such capacity, nor do we have it now, nor will we have it in the foreseeable future. In such a situation keeping it in the backlog is misleading and sets the wrong expectation that we will be able to address it. Unfortunately we will not. To reflect this we are closing this BZ. If you disagree with the decision please reopen or open a new support case and create a new BZ. However, this does not guarantee that the request will not be closed during triage, as we are currently applying much more rigor to what we actually can accomplish in the foreseeable future. Contributions and collaboration in the upstream community and CentOS Stream are always welcome!
Thank you for understanding.
Red Hat Enterprise Linux Identity Management Team
